diff --git a/colmena/local.nix b/colmena/local.nix
new file mode 100644
index 0000000..a610670
--- /dev/null
+++ b/colmena/local.nix
@@ -0,0 +1,14 @@
+{ name, nodes, config, lib, pkgs, ... }:
+
+{
+ deployment = {
+ allowLocalDeployment = true;
+ targetHost = null;
+ tags = [ "local" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ colmena
+ npins
+ ];
+}
diff --git a/colmena/remote.nix b/colmena/remote.nix
new file mode 100644
index 0000000..efe4e6e
--- /dev/null
+++ b/colmena/remote.nix
@@ -0,0 +1,12 @@
+{ name, nodes, config, lib, pkgs, ... }:
+
+{
+ deployment = {
+ targetHost = "${name}.birdsong.network";
+ tags = [ "remote" ];
+ };
+
+ imports = [
+ ../common/openssh.nix
+ ];
+}
diff --git a/common/nginx.nix b/common/nginx.nix
new file mode 100644
index 0000000..a5a91c6
--- /dev/null
+++ b/common/nginx.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
\ No newline at end of file
diff --git a/common/openssh.nix b/common/openssh.nix
new file mode 100644
index 0000000..5e9651a
--- /dev/null
+++ b/common/openssh.nix
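Review bot: `add_header Strict-Transport-Security $hsts_header;` in appendHttpConfig lacks the `always` flag, so nginx sends HSTS only on 2xx/3xx responses and omits it on error pages (the same applies to the Referrer-Policy, X-Frame-Options and X-Content-Type-Options lines); append `always` to each, e.g. `add_header Strict-Transport-Security $hsts_header always;`. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the module's default cipher list, and because it selects by algorithm class it still admits CBC/SHA-1 suites such as ECDHE-RSA-AES256-SHA, so either drop the override or add a comment stating why the default is not wanted. It is also worth a comment that nginx's `add_header` is not inherited into any `server`/`location` block that defines its own `add_header`, so a virtualHost that adds a header of its own silently loses all of these.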
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow remote root login only from home network
+ # TODO: Find a less hacky way of doing remote deployment
+ users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
+ services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
+}
\ No newline at end of file
diff --git a/common/steam.nix b/common/steam.nix
new file mode 100644
index 0000000..e03ca13
--- /dev/null
+++ b/common/steam.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ dedicatedServer.openFirewall = true;
+ };
+}
\ No newline at end of file
diff --git a/hive.nix b/hive.nix
index f331dc7..6c0d560 100644
--- a/hive.nix
+++ b/hive.nix
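Review bot: `services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password"` reopens root login from one address while `settings.PermitRootLogin = "no"` states the opposite policy, and `users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys` turns every key of that user into a root key on each host importing this file. The comment says "home network" but the match is a single address with no mask, so a change of that address locks deployment out; the comment should say so, e.g. `# Root may log in only with a key and only from 45.14.17.200; update this address if the home IP changes`. Colmena's `deployment.targetUser` with a sudo-capable account would avoid root SSH altogether and would resolve the TODO on the line above. A `Match` block applies to everything that follows it in sshd_config, which is safe here only as long as `extraConfig` remains the last fragment the module emits — presumably it is, but confirm.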
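Review bot: `dedicatedServer.openFirewall = true` opens the inbound Source dedicated-server ports on every host that imports `common/steam.nix`, which is only needed when the machine actually hosts game servers; for client play plus Remote Play, `remotePlay.openFirewall = true` alone is enough. If the dedicated-server ports are intentional, a one-line comment such as `# hosting dedicated servers from this machine` would keep the next reader from removing it.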
@@ -2,30 +2,36 @@ let sources = import ./npins;
 in {
 meta.nixpkgs = sources.nixpkgs;
- defaults = { pkgs, ... }: {
+ defaults = { name, nodes, ... }: {
+ deployment.replaceUnknownProfiles = false;
+ networking.hostName = name;
+
+ nixpkgs.config.allowUnfree = true;
+
 imports = [
 (import "${sources.home-manager}/nixos")
+ ./pinning.nix
+ ./users/qenya.nix
 ];
- deployment.replaceUnknownProfiles = false;
-
- # Make point systemwide to the pinned nixpkgs above
- # https://jade.fyi/blog/pinning-nixos-with-npins/
- nix.settings.experimental-features = "nix-command flakes";
- nixpkgs.flake.source = sources.nixpkgs;
- nix.nixPath = ["nixpkgs=flake:nixpkgs"];
 };
 tohru = { name, nodes, ... }: {
- deployment = {
- allowLocalDeployment = true;
- targetHost = null;
- };
+ networking.hostId = "31da19c1";
+ time.timeZone = "Europe/London";
- imports = [ ./hosts/tohru/configuration.nix ];
+ imports = [
+ ./colmena/local.nix
+ ./hosts/tohru/configuration.nix
+ ];
 };
- yevaud = {
- deployment.targetHost = "yevaud.birdsong.network";
- imports = [ ./hosts/yevaud/configuration.nix ];
+ yevaud = { name, nodes, ... }: {
+ networking.hostId = "09673d65";
+ time.timeZone = "Etc/UTC";
+
+ imports = [
+ ./colmena/remote.nix
+ ./hosts/yevaud/configuration.nix
+ ];
 };
 }
diff --git a/home/btop.nix b/home/btop.nix
new file mode 100644
index 0000000..6d4f49b
--- /dev/null
+++ b/home/btop.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ programs.btop.enable = true;
+}
diff --git a/home/cli.nix b/home/cli.nix
new file mode 100644
index 0000000..b23d81f
--- /dev/null
+++ b/home/cli.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+ home.packages = with pkgs; [
+ tree # like `ls -R` but nicer
+
+ # Extremely important
+ fortune
+ cowsay
+ lolcat
+ ];
+}
diff --git a/home/firefox.nix b/home/firefox.nix
new file mode 100644
index 0000000..95e399e
--- /dev/null
+++ b/home/firefox.nix
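Review bot: `nixpkgs.config.allowUnfree = true` is now set in `defaults`, so it applies to `yevaud` as well as to the desktop it was lifted from (the removal is in the `hosts/tohru/configuration.nix` hunk later in this diff); if the server is not meant to pull unfree packages, it belongs next to `../../common/steam.nix` in the tohru configuration, otherwise a comment should record that the wider scope is intended. The same goes for `./users/qenya.nix` being imported for every node, which is what makes `config.users.users.qenya.openssh.authorizedKeys.keys` resolvable from `common/openssh.nix`; a comment like `# every node gets the qenya account; common/openssh.nix relies on its keys` would make that dependency explicit.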
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # TODO: nix-ify Firefox config
+ programs.firefox.enable = true;
+}
diff --git a/home/gnome/appearance.nix b/home/gnome/appearance.nix
new file mode 100644
index 0000000..129aa1a
--- /dev/null
+++ b/home/gnome/appearance.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+ dconf = {
+ enable = true;
+ settings =
+ let
+ backgroundOptions = {
+ color-shading-type = "solid";
+ picture-options = "zoom";
+ picture-uri = "${config.home.homeDirectory}/.background-image";
+ primary-color = "#3a4ba0";
+ secondary-color = "#2f302f";
+ };
+ in
+ {
+ "org/gnome/desktop/background" = backgroundOptions // {
+ picture-uri-dark = backgroundOptions.picture-uri;
+ };
+ "org/gnome/desktop/screensaver" = backgroundOptions;
+ "org/gnome/desktop/interface".color-scheme = "prefer-dark";
+ };
+ };
+ home.file.".background-image".source = ./background-image.jpg;
+}
diff --git a/hosts/tohru/background-image.jpg b/home/gnome/background-image.jpg
similarity index 100%
rename from hosts/tohru/background-image.jpg
rename to home/gnome/background-image.jpg
diff --git a/home/gnome/default.nix b/home/gnome/default.nix
new file mode 100644
index 0000000..9e5a1ee
--- /dev/null
+++ b/home/gnome/default.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ # TODO: nix-ify other parts of GNOME config
+ ./appearance.nix
+ ];
+}
diff --git a/home/vscode.nix b/home/vscode.nix
new file mode 100644
index 0000000..8d6efee
--- /dev/null
+++ b/home/vscode.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+{
+ programs.vscode =
+ let
+ system = builtins.currentSystem;
+ sources = import ../npins;
+ extensions = (import sources.nix-vscode-extensions).extensions.${system};
+ in
+ {
+ enable = true;
+ enableExtensionUpdateCheck = false;
+ enableUpdateCheck = false;
+ package = pkgs.vscodium;
+ extensions = (with pkgs.vscode-extensions; [
+ jnoortheen.nix-ide
+ ms-python.python
+ ]) ++ (with extensions.open-vsx; [
+ robbowen.synthwave-vscode
+ ]);
+ mutableExtensionsDir = false;
+ userSettings = {
+ "extensions.autoUpdate" = false;
+ "git.autofetch" = true;
+ "nix.enableLanguageServer" = true;
+ "nix.serverPath" = "nil";
+ "nix.serverSettings".nil = {
+ diagnostics.ignored = [ "unused_binding" "unused_with" ];
+ formatting.command = [ "nixpkgs-fmt" ];
+ };
+ "workbench.colorTheme" = "SynthWave '84";
+ };
+ };
+
+ # Language servers etc
+ home.packages = with pkgs; [
+ nil
+ nixpkgs-fmt
+ ];
+}
diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix
index b39db2f..637d9cb 100644
--- a/hosts/tohru/configuration.nix
+++ b/hosts/tohru/configuration.nix
@@ -4,27 +4,22 @@
 imports = [
 ./hardware-configuration.nix
- ../../users/qenya.nix
 ./home.nix
+ ../../common/steam.nix
 ];
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.systemd-boot.editor = false;
- networking.hostName = "tohru";
- networking.hostId = "31da19c1";
 networking.networkmanager.enable = true;
- time.timeZone = "Europe/London";
-
 i18n.defaultLocale = "en_GB.UTF-8";
 console.keyMap = "uk";
 services.xserver.enable = true;
 services.xserver.displayManager.gdm.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
- services.xserver.xkb.layout = "gb";
 services.printing.enable = true;
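Review bot: `system = builtins.currentSystem;` makes the module impure: it evaluates to the system of the machine doing the evaluation rather than of the host being configured, and it fails under pure evaluation; `pkgs.stdenv.hostPlatform.system` comes from the module arguments and names the target, so `extensions = (import sources.nix-vscode-extensions).extensions.${pkgs.stdenv.hostPlatform.system};` with the `system` binding dropped. Pulling `robbowen.synthwave-vscode` from `extensions.open-vsx` means that extension ships from a pin in `../npins` rather than from nixpkgs; together with `mutableExtensionsDir = false` and `"extensions.autoUpdate" = false` that keeps the installed set fully pinned, which deserves a comment on the `extensions =` line so nobody re-enables updates later.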
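Review bot: `services.xserver.xkb.layout = "gb"` is removed here with no replacement anywhere in this diff, while `console.keyMap = "uk"` stays; if GNOME's own input-source settings are meant to take over, a comment beside `console.keyMap` saying so would explain the asymmetry, otherwise the X keyboard layout silently falls back to the default. The enclosing attribute set continues past the end of the hunk.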
@@ -32,20 +27,6 @@
 sound.enable = true;
 hardware.pulseaudio.enable = true;
- environment.systemPackages = with pkgs; [
- colmena
- git
- npins
- wget
- ];
-
- programs.steam = {
- enable = true;
- remotePlay.openFirewall = true;
- dedicatedServer.openFirewall = true;
- };
-
- nixpkgs.config.allowUnfree = true;
 hardware.enableAllFirmware = true;
 services.fwupd.enable = true;
 services.fstrim.enable = true;
diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix
index 44eb80b..6451627 100644
--- a/hosts/tohru/home.nix
+++ b/hosts/tohru/home.nix
@@ -2,81 +2,19 @@
 {
 home-manager.users.qenya = { pkgs, ... }: {
- home.homeDirectory = config.users.users.qenya.home;
-
- home.packages = with pkgs; [
- fortune
- htop
- tree
-
- bitwarden
- tor-browser-bundle-bin
-
- nil
- nixpkgs-fmt
+ imports = [
+ ../../home/btop.nix
+ ../../home/cli.nix
+ ../../home/firefox.nix
+ ../../home/gnome
+ ../../home/vscode.nix
 ];
- dconf = {
- enable = true;
- settings =
- let
- backgroundOptions = {
- color-shading-type = "solid";
- picture-options = "zoom";
- picture-uri = "${config.users.users.qenya.home}/.background-image";
- primary-color = "#3a4ba0";
- secondary-color = "#2f302f";
- };
- in
- {
- "org/gnome/desktop/background" = backgroundOptions // {
- picture-uri-dark = backgroundOptions.picture-uri;
- };
- "org/gnome/desktop/screensaver" = backgroundOptions;
- "org/gnome/desktop/interface".color-scheme = "prefer-dark";
- };
- };
- home.file.".background-image".source = ./background-image.jpg;
-
+ home.packages = with pkgs; [
+ bitwarden
+ tor-browser-bundle-bin
+ ];
 programs.chromium.enable = true;
- programs.firefox.enable = true;
-
- programs.git = {
- enable = true;
- userName = "Katherina Walshe-Grey";
- userEmail = "git@katherina.rocks";
- };
-
- programs.vscode =
- let
- system = builtins.currentSystem;
- sources = import ../../npins;
- extensions = (import sources.nix-vscode-extensions).extensions.${system};
- in
- {
- enable = true;
- enableExtensionUpdateCheck = false;
- enableUpdateCheck = false;
- package = pkgs.vscodium;
- extensions = (with pkgs.vscode-extensions; [
- jnoortheen.nix-ide
- ms-python.python
- ]) ++ (with extensions.open-vsx; [
- robbowen.synthwave-vscode
- ]);
- mutableExtensionsDir = false;
- userSettings = {
- "extensions.autoUpdate" = false;
- "git.autofetch" = true;
- "nix.enableLanguageServer" = true;
- "nix.serverPath" = "nil";
- "nix.serverSettings".nil = {
- diagnostics.ignored = [ "unused_binding" "unused_with" ];
- formatting.command = [ "nixpkgs-fmt" ];
- };
- "workbench.colorTheme" = "SynthWave '84";
- };
- };
 home.stateVersion = "23.11";
 };
diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix
index 06a3d29..289bff2 100644
--- a/hosts/yevaud/configuration.nix
+++ b/hosts/yevaud/configuration.nix
@@ -1,97 +1,15 @@
 { config, lib, pkgs, ... }:
 {
- imports =
- [
- ./hardware-configuration.nix
- ../../users/qenya.nix
- ];
+ imports = [
+ ./hardware-configuration.nix
+ ./home.nix
+ ./forgejo.nix
+ ];
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- networking.hostName = "yevaud";
- networking.hostId = "09673d65";
-
- time.timeZone = "Etc/UTC";
-
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "no";
- };
- };
-
- # Allow remote root login only from home network
- # TODO: Find a less hacky way of doing remote deployment
- users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
- services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
-
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- # networking.firewall.allowedUDPPorts = [ ... ];
-
- services.fail2ban.enable = true;
-
- services.nginx = {
- enable = true;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
- appendHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- '';
-
- virtualHosts = {
- "git.katherina.rocks" = {
- forceSSL = true;
- enableACME = true;
- locations."/".proxyPass = "http://[::1]:3000/";
- };
- };
- };
- security.acme = {
- acceptTerms = true;
- defaults.email = "accounts@katherina.rocks";
- };
-
- services.forgejo = {
- enable = true;
- stateDir = "/data/forgejo";
- settings = {
- DEFAULT.APP_NAME = "git.katherina.rocks";
- cache = {
- ADAPTER = "twoqueue";
- HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
- };
- database = {
- DB_TYPE = "sqlite3";
- SQLITE_JOURNAL_MODE = "WAL";
- };
- security.LOGIN_REMEMBER_DAYS = 365;
- server = {
- DOMAIN = "git.katherina.rocks";
- HTTP_PORT = 3000;
- ROOT_URL = "https://git.katherina.rocks/";
- };
- service.DISABLE_REGISTRATION = true;
- };
- };
-
 system.stateVersion = "23.11";
-
 }
diff --git a/hosts/yevaud/forgejo.nix b/hosts/yevaud/forgejo.nix
new file mode 100644
index 0000000..31e8494
--- /dev/null
+++ b/hosts/yevaud/forgejo.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ../../common/nginx.nix
+ ];
+
+ # TODO: ssh access
+ # TODO: email out
+ # TODO: interface customisation
+
+ services.nginx.virtualHosts = {
+ # TODO: move to new domain
+ "git.katherina.rocks" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://[::1]:3000/";
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ stateDir = "/data/forgejo";
+ settings = {
+ DEFAULT.APP_NAME = "git.katherina.rocks";
+ cache = {
+ ADAPTER = "twoqueue";
+ HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
+ };
+ database = {
+ DB_TYPE = "sqlite3";
+ SQLITE_JOURNAL_MODE = "WAL";
+ };
+ security.LOGIN_REMEMBER_DAYS = 365;
+ server = {
+ DOMAIN = "git.katherina.rocks";
+ HTTP_PORT = 3000;
+ ROOT_URL = "https://git.katherina.rocks/";
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+}
diff --git a/hosts/yevaud/home.nix b/hosts/yevaud/home.nix
new file mode 100644
index 0000000..d5bb904
--- /dev/null
+++ b/hosts/yevaud/home.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+ home-manager.users.qenya = { pkgs, ... }: {
+ imports = [
+ ../../home/btop.nix
+ ../../home/cli.nix
+ ];
+
+ home.stateVersion = "23.11";
+ };
+}
diff --git a/pinning.nix b/pinning.nix
new file mode 100644
index 0000000..9ac8584
--- /dev/null
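Review bot: After this change `hosts/yevaud/configuration.nix` no longer enables sshd, fail2ban or the SSH firewall port itself; those now arrive only through `./colmena/remote.nix` → `../common/openssh.nix` wired up in `hive.nix`, so evaluating this file outside colmena (a plain `nixos-rebuild` on the box, for instance) yields a system with no SSH service and no remote access. A comment in the new `imports` list, e.g. `# sshd, fail2ban and port 22 come from colmena/remote.nix via hive.nix`, would make that dependency visible to whoever next edits this host on its own.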
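Review bot: `security.LOGIN_REMEMBER_DAYS = 365` keeps the remember-me cookie valid for a full year on an instance exposed on the public internet as `git.katherina.rocks`, so a stolen cookie stays usable for that whole window; a shorter value, or a comment justifying the year, would be appropriate. `locations."/".proxyPass = "http://[::1]:3000/"` depends on Forgejo listening on `::1` — presumably the NixOS module's default for `server.HTTP_ADDR`, but nothing in this file says so, so setting `HTTP_ADDR = "::1";` next to `HTTP_PORT = 3000;` would pin the pairing explicitly. The `# TODO: ssh access` line is worth expanding while it is fresh, since any SSH exposure for Forgejo will have to coexist with the `Match Address` restriction in `common/openssh.nix`.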
+++ b/pinning.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+let sources = import ./npins;
+in {
+ # Make point systemwide to the pinned nixpkgs
+ # https://jade.fyi/blog/pinning-nixos-with-npins/
+ nix.settings.experimental-features = "nix-command flakes";
+ nixpkgs.flake.source = sources.nixpkgs;
+ nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
+}
diff --git a/users/qenya.nix b/users/qenya.nix
index 9310f7b..7d10ede 100644
--- a/users/qenya.nix
+++ b/users/qenya.nix
@@ -13,4 +13,16 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
 ];
 };
-}
\ No newline at end of file
+
+ home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: {
+ home.homeDirectory = osConfig.users.users.qenya.home;
+
+ programs.git = {
+ enable = true;
+ userName = "Katherina Walshe-Grey";
+ userEmail = "git@katherina.rocks"; # TODO: update email
+ };
+
+ home.stateVersion = "23.11";
+ };
+}
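Review bot: The comment `# Make point systemwide to the pinned nixpkgs` is hard to parse; `# Point the system-wide nixpkgs (flake registry entry and NIX_PATH) at the npins-pinned copy` describes what the three settings below do. It is also worth saying that the `nix.nixPath` entry `nixpkgs=flake:nixpkgs` only resolves because `flakes` is enabled on the `nix.settings.experimental-features` line, since that line otherwise looks unrelated to pinning.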
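Review bot: `home.stateVersion = "23.11"` is now defined here for every node and again per host in `hosts/tohru/home.nix` (a context line in its hunk) and the new `hosts/yevaud/home.nix`; equal values merge silently, but as soon as one copy is bumped and the others are not, evaluation fails with a conflicting-definition error, so it should live in one place — this file is the natural one now that the user module is imported from `defaults` in `hive.nix`. `home.homeDirectory = osConfig.users.users.qenya.home` relies on `osConfig`, which the home-manager NixOS module passes in; a short comment such as `# osConfig is the NixOS configuration of the host this user lives on` would help readers used to the standalone home-manager form.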